Analysis
-
max time kernel
104s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
24-07-2022 05:11
Static task
static1
Behavioral task
behavioral1
Sample
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe
Resource
win7-20220718-en
General
-
Target
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe
-
Size
3.6MB
-
MD5
852f308c246c8ee3149ec7414c6fea7f
-
SHA1
49cef2f0d76a122d464324b4b73bf255212548d7
-
SHA256
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8
-
SHA512
3dcef726e29576602f755ba7b98caea9c2f03f5b801d1bb0177d4d412eab8cc6958ec55d7ce8083f8c7f6fc2edc2028c5d0615c48ac90e89ac71f858de5c88b8
Malware Config
Extracted
vidar
9.5
231
http://bestpolandhotels.com/
-
profile_id
231
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1924-67-0x0000000000400000-0x00000000008B1000-memory.dmp family_vidar behavioral1/memory/1924-84-0x0000000000400000-0x00000000008B1000-memory.dmp family_vidar -
Executes dropped EXE 2 IoCs
Processes:
busshost.exeYTLoader.exepid process 1924 busshost.exe 952 YTLoader.exe -
Loads dropped DLL 8 IoCs
Processes:
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exeWerFault.exepid process 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe 1612 WerFault.exe 1612 WerFault.exe 1612 WerFault.exe 1612 WerFault.exe 1612 WerFault.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com -
Drops file in Program Files directory 4 IoCs
Processes:
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exedescription ioc process File opened for modification C:\Program Files (x86)\LetsSee!\YTLoader.exe 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe File opened for modification C:\Program Files (x86)\LetsSee!\busshost.exe 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe File opened for modification C:\Program Files (x86)\LetsSee!\Uninstall.exe 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe File created C:\Program Files (x86)\LetsSee!\Uninstall.ini 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1612 952 WerFault.exe YTLoader.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
busshost.exeYTLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 busshost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString busshost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString YTLoader.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
YTLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName YTLoader.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
busshost.exepid process 1924 busshost.exe 1924 busshost.exe 1924 busshost.exe 1924 busshost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
YTLoader.exedescription pid process Token: SeDebugPrivilege 952 YTLoader.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exeYTLoader.exedescription pid process target process PID 1956 wrote to memory of 1924 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe busshost.exe PID 1956 wrote to memory of 1924 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe busshost.exe PID 1956 wrote to memory of 1924 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe busshost.exe PID 1956 wrote to memory of 1924 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe busshost.exe PID 1956 wrote to memory of 952 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe YTLoader.exe PID 1956 wrote to memory of 952 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe YTLoader.exe PID 1956 wrote to memory of 952 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe YTLoader.exe PID 1956 wrote to memory of 952 1956 59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe YTLoader.exe PID 952 wrote to memory of 1612 952 YTLoader.exe WerFault.exe PID 952 wrote to memory of 1612 952 YTLoader.exe WerFault.exe PID 952 wrote to memory of 1612 952 YTLoader.exe WerFault.exe PID 952 wrote to memory of 1612 952 YTLoader.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe"C:\Users\Admin\AppData\Local\Temp\59274c6c2cddb575e155880d50990fb75a66204af22a24e6f798febb30c409c8.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 11803⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
647KB
MD5d8f872b975a781c179e616844b8fcda6
SHA1c90a9d46dbb216cacb3c6de9f884a1707dd16ff3
SHA256f3005949682460d4095237758b8756bb323131bc49df4a9e1230201cf1894be1
SHA5129a71f22b785ccdabefcb18127a543108fdb223e9c3837d68be9816c6d6ab03019f4d126695950bf7e65bf041c2f499918873a01b28da6a5f866b07e90773cbaf
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
647KB
MD5d8f872b975a781c179e616844b8fcda6
SHA1c90a9d46dbb216cacb3c6de9f884a1707dd16ff3
SHA256f3005949682460d4095237758b8756bb323131bc49df4a9e1230201cf1894be1
SHA5129a71f22b785ccdabefcb18127a543108fdb223e9c3837d68be9816c6d6ab03019f4d126695950bf7e65bf041c2f499918873a01b28da6a5f866b07e90773cbaf
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
647KB
MD5d8f872b975a781c179e616844b8fcda6
SHA1c90a9d46dbb216cacb3c6de9f884a1707dd16ff3
SHA256f3005949682460d4095237758b8756bb323131bc49df4a9e1230201cf1894be1
SHA5129a71f22b785ccdabefcb18127a543108fdb223e9c3837d68be9816c6d6ab03019f4d126695950bf7e65bf041c2f499918873a01b28da6a5f866b07e90773cbaf
-
memory/952-73-0x0000000000650000-0x000000000065A000-memory.dmpFilesize
40KB
-
memory/952-79-0x0000000000740000-0x0000000000748000-memory.dmpFilesize
32KB
-
memory/952-70-0x0000000005240000-0x000000000569A000-memory.dmpFilesize
4.4MB
-
memory/952-71-0x0000000000320000-0x0000000000330000-memory.dmpFilesize
64KB
-
memory/952-72-0x0000000000640000-0x000000000064A000-memory.dmpFilesize
40KB
-
memory/952-60-0x0000000000000000-mapping.dmp
-
memory/952-74-0x0000000000670000-0x000000000067A000-memory.dmpFilesize
40KB
-
memory/952-75-0x0000000000680000-0x0000000000688000-memory.dmpFilesize
32KB
-
memory/952-76-0x00000000006D0000-0x00000000006DE000-memory.dmpFilesize
56KB
-
memory/952-77-0x0000000000720000-0x0000000000728000-memory.dmpFilesize
32KB
-
memory/952-78-0x0000000000730000-0x0000000000738000-memory.dmpFilesize
32KB
-
memory/952-68-0x00000000001E0000-0x00000000001EA000-memory.dmpFilesize
40KB
-
memory/952-80-0x00000000007D0000-0x00000000007D8000-memory.dmpFilesize
32KB
-
memory/952-81-0x0000000000830000-0x0000000000838000-memory.dmpFilesize
32KB
-
memory/952-82-0x00000000008C0000-0x00000000008C8000-memory.dmpFilesize
32KB
-
memory/952-65-0x0000000000330000-0x0000000000638000-memory.dmpFilesize
3.0MB
-
memory/1612-85-0x0000000000000000-mapping.dmp
-
memory/1924-84-0x0000000000400000-0x00000000008B1000-memory.dmpFilesize
4.7MB
-
memory/1924-67-0x0000000000400000-0x00000000008B1000-memory.dmpFilesize
4.7MB
-
memory/1924-66-0x0000000000260000-0x0000000000360000-memory.dmpFilesize
1024KB
-
memory/1924-83-0x0000000000260000-0x0000000000360000-memory.dmpFilesize
1024KB
-
memory/1924-57-0x0000000000000000-mapping.dmp
-
memory/1956-54-0x00000000756B1000-0x00000000756B3000-memory.dmpFilesize
8KB